https is an important part of keeping your data safe, but it's only a part. It's important to understand what it means and what it doesn't mean.

I'm confused. I keep hearing that https makes your connection to a website "secure". What does that mean? Does it mean I can trust the site I land on?

"https", or secure http, is an important part of keeping your data safe.

But it's only a part.

Https connections do two things: they encrypt your data so that anyone sniffing the connection sees only scrambled bytes, and they give your browser an opportunity to validate that the website is who you think it is.

Let's look at each of those in a little more depth.

Encryption is simply a way of scrambling the information that you send to a web site, and that the web site might send back to you. In an https connection it works both ways: data that you send, say an account name and password you enter in a login form, is encrypted and sent to the remote site, where it is decrypted so it can be used. Data coming back, perhaps the amount of money you have in your checking account when you visit your bank's site, is encrypted by the web server, sent to your browser, and decrypted so that your browser can display it on screen.

Encryption is important because only you and the remote site can understand the data. Anyone in between ... say someone who's monitoring the information going to and from your computer ... sees only gibberish. It's an important way to keep your private data out of the hands of hackers and thieves.

Another important aspect of https security is that it can be used to validate that the site you are connecting to really is who it claims to be. The server side of an https connection presents a certificate, which your browser checks and validates against trusted certificate authorities. If that check fails, your browser will warn you. Perhaps the certificate has expired (though you should check your computer's clock if you see that), or perhaps the certificate does not actually match the site you think you're visiting. Both are things that should give you pause.

This server validation step is, in a sense, an optional part of https. A server can elect to use an untrusted certificate - but every visitor to that site will get a warning that the certificate is not trusted. The data will still be encrypted.

Why would a server elect to do that? Well, a certificate from a trusted authority costs money. Not a lot, but it is an extra step, and not all cases really require it. Sometimes encryption is enough.
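As an added illustration (not code from the original article), here are the three checks behind the browser warnings just described, run over a certificate in the dictionary form that Python's ssl.SSLSocket.getpeercert() returns; the certificate values, the host names and the trusted-issuer list are constructed sample data.

```python
import ssl
import time

# Constructed sample: the issuers this "browser" trusts. A real browser walks
# the whole chain up to a root CA; a flat name list keeps the example short.
TRUSTED_ISSUERS = {"Example Trusted CA"}

# Constructed sample certificate, in the dictionary shape that
# ssl.SSLSocket.getpeercert() returns for a verified connection.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Trusted CA"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
    "notBefore": "Sep  8 00:00:00 2005 GMT",
    "notAfter": "Sep  8 00:00:00 2006 GMT",
}


def _name_matches(pattern, hostname):
    """Match one DNS name from the certificate against the host the user typed.
    A wildcard covers exactly one left-most label: *.example.com matches
    shop.example.com but not example.com or a.b.example.com."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                                   # ".example.com"
    return hostname.endswith(suffix) and "." not in hostname[:-len(suffix)]


def cert_problems(cert, hostname, now=None, trusted=TRUSTED_ISSUERS):
    """Return the reasons a browser would warn before trusting this certificate.
    An empty list means all three checks the article mentions passed."""
    now = time.time() if now is None else now
    problems = []
    # 1. Validity window. "Expired" can also mean the client's clock is wrong.
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    # 2. Does the certificate actually name the site the user thinks they're on?
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # older certificates: fall back to the subject's commonName
        names = [v for rdn in cert["subject"] for k, v in rdn if k == "commonName"]
    if not any(_name_matches(n, hostname) for n in names):
        problems.append("hostname mismatch")
    # 3. Issued by an authority the browser trusts? Self-signed certs fail here.
    issuers = {v for rdn in cert["issuer"] for k, v in rdn if k == "organizationName"}
    if not issuers & trusted:
        problems.append("untrusted issuer")
    return problems
```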

Now, everything I've talked about so far is only about the technology of communicating between you and a web server. Your data is encrypted and you are talking to the web site you think you are.

But it tells you nothing about whether the site you are talking to is legitimate, or whether they are keeping your data safe once it's on their server. Your data arrived there safely ... but what did they do with it after that?

Any web site owner can easily and inexpensively add https support. But an https connection doesn't imply that they are legitimate.

You still need to know who you're talking to. Make sure that you've got the website URL correct, and that they're a legitimate business. That's what phishing scams are all about ... trying to get you to visit sites that look legitimate, but aren't. And they might even support https.

(And don't forget to keep your side of the connection clean too - practice safe computing!)

Article C2421 - September 8, 2005

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18-year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

13 Comments
Ronny
September 9, 2005 1:05 PM

>Encryption is important because only you and the remote site can
>understand the data. Anyone in between ... say someone who's
>monitoring the information going to and from your computer ... sees only
>gibberish. It's an important way to keep your private data out of the
>hands of hackers and thieves.

If someone was monitoring my computer, how could https tell my computer what password to use to encrypt and decrypt the data without the person monitoring also getting the password?

Leo
September 9, 2005 1:34 PM

Because those passwords are never sent. Using something called public key cryptography, the sender can encrypt something with the public key that can only be decrypted by the private key. The private key is never shared, and is part of what the certification process validates. Obviously it's more complicated than that, but that's the basic idea.
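To illustrate the encryption passage in the article and Leo's reply to Ronny, here is an added example (not from the original page or its author): a toy version of the public key idea with 16-bit primes, far too small for real use, where the sniffer captures everything that crosses the wire and still cannot undo the scrambling without the server's private key.

```python
import secrets

# Constructed toy key pair built from two 16-bit primes. Real HTTPS keys are
# thousands of bits long; these are small only so the numbers stay readable.
P, Q = 65521, 65537
N = P * Q                  # public modulus: published in the certificate
PHI = (P - 1) * (Q - 1)
E = 17                     # public exponent: published in the certificate
D = pow(E, -1, PHI)        # private exponent: never leaves the server


def encrypt_for_server(secret, n=N, e=E):
    """Browser side: scramble the session secret with the server's PUBLIC key.
    Anyone who has the certificate can perform this step."""
    if not 0 < secret < n:
        raise ValueError("secret must be smaller than the modulus")
    return pow(secret, e, n)


def decrypt_on_server(ciphertext, n=N, d=D):
    """Server side: undo the scrambling with the PRIVATE key."""
    return pow(ciphertext, d, n)


def handshake(session_secret=None):
    """Simulate the exchange Leo describes. Returns the secret the browser
    chose, the value the server recovered, and the transcript a wire sniffer
    would capture. The private key D is never part of that transcript."""
    wire = [("server->browser certificate", {"n": N, "e": E})]
    if session_secret is None:
        session_secret = secrets.randbelow(N - 2) + 1   # chosen locally
    c = encrypt_for_server(session_secret)
    wire.append(("browser->server encrypted secret", c))
    # Real TLS pads the value before encrypting and today mostly uses
    # Diffie-Hellman key agreement instead, but the property shown is the same:
    # the sniffer sees n, e and c, and needs d to get the secret back.
    return session_secret, decrypt_on_server(c), wire
```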

Bob
December 8, 2005 1:33 AM

Hey Leo, good read - thanks for your time. One question though - is the URL for a https site passed in cleartext over the internet, for example would this be bad? http://www.somedomain.com/login.asp?username=bob&password=apples

santosh
June 21, 2006 11:57 AM

When a sniffer is active on the machine where the browser is launched (to visit a site, say a bank site), and https is being used, the sniffer will not be able to catch the data supplied from the browser - correct?

Leo
June 21, 2006 9:05 PM

If the sniffer is actually running on the machine with the browser, then all bets are off. It's effectively spyware and can see everything.

However a "sniffer" is typically a different computer "sniffing" the network, and https is the way to be safe.

Daniel jenkins
September 12, 2007 7:53 AM

Thanks Leo, my life just got easier. Can you recommend a survey web site that pays? And when they say spam free, is it really spam free?

Roland Gonzales
April 26, 2008 11:07 AM

I have an additional question. I understand that SSL is used to encrypt data as it is sent on a wire. But if I'm using a non-encrypted wireless access point, am I vulnerable to having my data sniffed between my laptop and my WAP? I understand that without wireless encryption the data is sent through the airwaves in plain text.

asdfasdfas
June 13, 2008 1:10 PM

Why don't you answer Bob's question?! I need to know! Are GET requests also encrypted?

Leo
June 15, 2008 9:56 AM

Bob's example goes to "http" so of course it would NOT be encrypted.

That same example, to a server that supports "https" would be encrypted.

What matters is that the URL of the page getting the parameters, be it via a POST or a GET, be an https URL.

Leo

Aditya
November 2, 2009 6:36 PM

In the office, can your chat still be read by the network administrator even when using https? Thanks Leo!

Anonymous
December 22, 2010 6:23 PM

This keeps coming up on my computer when I am e-mailing my son on Corrlink and it really gets on my nerves. If I push yes it comes back, and if I push no it still does the same thing.

Jeff
April 12, 2011 1:02 AM

Why does Google calendar show a crossed out https in the URL bar (when browsing with Chrome)? What is crossed out https?

I've never seen a crossed-out one. Right click on the padlock for more information.
Leo
12-Apr-2011

abie gonzalez
May 1, 2011 2:47 PM

HTTPS connection keeps popping up with every move I make on a web page. It is becoming a nuisance; can you help?

I don't understand. "Https connection" isn't something that pops up. You'd need to provide more details including the full text of any error messages.
Leo
01-May-2011
